The call came in at 11 PM on a Tuesday. A mid-sized accounting firm in Parramatta had been hit with ransomware. Their files were encrypted, their backups were compromised, and their client portal was leaking data. The director was calm—not because he had good backups, but because he had a $2 million cyber insurance policy.
Three weeks later, that same director was on the phone with us, asking a question we'd heard before: *"Why won't they pay?"*
The answer was in Section 14, Clause 7B of his policy wording: "Failure to maintain industry-standard security controls, including multi-factor authentication on all privileged accounts, shall void coverage for incidents resulting from credential compromise."
His admin accounts didn't have MFA. The policy didn't pay. He was $400,000 out of pocket for recovery, legal fees, and notification costs.
This isn't a horror story from America. This is Sydney, 2025. And it's more common than you think.
The Australian Cyber Insurance Landscape in 2026
If you renewed your cyber insurance in the past 18 months, you probably noticed two things: premiums went up, and coverage got thinner.
- Average premium increases: 40–60% year-on-year for Australian SMEs (Insurance Council of Australia, 2025)
- More insurers exiting: Several Lloyd's syndicates have stopped writing standalone cyber in Australia
- Sub-limits are now standard: Social engineering, business interruption, and ransomware payments are often capped at $50K–$100K regardless of your total policy limit
- "Reasonable security" clauses are broader: Insurers learned from 2023–2024 losses and rewrote their wordings
Here's the part no one tells you: the marketing summary your broker showed you isn't the policy. The 40-page schedule of exclusions is the policy. And almost no one reads it until they're making a claim.
The Five Traps We See in Every Policy Review
At Cloudscape, we don't sell insurance. But we've been brought in after enough incidents to see the same patterns. These are the five traps that catch Australian businesses every time.
Trap 1: The "Prior Knowledge" Exclusion
What it says: If you knew about a vulnerability or security weakness before the incident, coverage is void.
What it means: Your last penetration test found unpatched systems. You added it to the "next quarter" list. The attacker found it first. The insurer argues you had "prior knowledge" of the weakness and chose not to fix it.
Real case: A Melbourne legal firm had a 2024 pen test report flagging exposed RDP. They planned to fix it in their 2025 IT refresh. In February 2025, a ransomware group brute-forced the RDP, moved laterally, and encrypted everything. The insurer denied the $180K claim. The pen test report was their evidence.
How to avoid it: Treat pen test findings like asbestos reports—documented, prioritised, and acted on. If you can't fix something immediately, get the residual risk signed off by leadership and notify the insurer in writing.
Trap 2: The "Social Engineering" Sub-Limit
What it says: Your policy limit is $1 million. But social engineering claims are capped at $50,000.
What it means: The phishing email that tricked your finance officer into wiring $400K to a fraudulent account? You're getting $50K back, if you're lucky. The rest is on you.
The numbers: Social engineering is now the primary attack vector for 91% of Australian breaches (OAIC Notifiable Data Breaches Report, 2025). Yet many policies treat it as an afterthought.
Real case: A Sydney construction firm's CFO received a polished email—correct logo, correct email thread history, spoofed sender—authorising a $280K payment to a "new supplier." It was a BEC scam. Their $1.5M policy paid $50K. The firm absorbed $230K plus the reputational damage of explaining the loss to their board.
How to avoid it: Read the sub-limits table carefully. If social engineering is capped below your exposure, negotiate. If the insurer won't budge, build internal controls (out-of-band verification for transfers, callback procedures) that reduce the likelihood of the loss in the first place.
Trap 3: The "War / Cyber War" Exclusion
What it says: Claims arising from war, cyber war, or acts of foreign governments are excluded.
What it means: Almost every major ransomware group operates from jurisdictions with known nation-state ties or safe harbour. Insurers have argued—successfully—that attacks by Russian, Chinese, or North Korean groups fall under this exclusion.
Real case: A Perth logistics company was hit by LockBit 3.0 in late 2024. Their insurer engaged a law firm to determine LockBit's "attribution." Eight months later, the claim was still unresolved. The company had to fund their own recovery while the lawyers argued about whether a criminal syndicate with Russian-speaking affiliates counts as "cyber war."
How to avoid it: You can't. This exclusion is in virtually every policy. What you *can* do is ensure your incident response plan doesn't depend on insurance payout timelines. Build your immutable backups and rehearse your recovery. Insurance is a backstop, not a strategy.
Trap 4: The "Failure to Maintain" Clause
What it says: Coverage is conditional on maintaining "industry-standard" or "reasonable" security controls.
What it means: The insurer decides what "industry-standard" means, usually after the incident. If your patching was two weeks behind, or your endpoint detection wasn't configured optimally, they may argue you failed to maintain reasonable security.
Real case: A Brisbane healthcare provider with 60 staff had EDR (endpoint detection and response) deployed, but the agent on one critical server had been offline for three weeks due to a certificate issue. An attacker used that blind spot to deploy ransomware. The insurer's forensic team noted the offline EDR and reduced the payout by 40%, citing "failure to maintain continuous monitoring."
How to avoid it: Document your security baseline. Use the ACSC Essential Eight as your minimum viable standard—not because it's perfect, but because it's a published, defensible benchmark. If you can show an auditor (or an insurer) that you measured yourself against the Essential Eight and had a plan to close gaps, you're in a much stronger position than if you can't explain what "reasonable" meant to you.
Trap 5: The Notification Clock
What it says: You must notify the insurer within 24–72 hours of discovering the incident.
What it means: If you're busy responding to an active breach, engaging lawyers, and trying to keep your business running, you might miss the window. Some policies also require immediate notification to law enforcement or regulatory bodies (OAIC for notifiable data breaches under the Privacy Act).
Real case: A Sydney real estate agency discovered a breach on a Friday evening. Their IT person was on leave. By the time they engaged external help and notified the insurer on Tuesday, the 72-hour window had closed. The insurer accepted the claim but imposed a 25% co-payment penalty for "late notification." The business paid an extra $45K they hadn't budgeted for.
How to avoid it: Put the insurer's 24/7 hotline and your policy number in your incident response plan. Not in a drawer. In the plan that your team rehearses. The first 24 hours of an incident are chaotic. You don't want to be Googling your broker's mobile number while your network is on fire.
What to Do Before You Renew
If your cyber insurance renewal is coming up—or even if it's not—here's the practical checklist we give our clients.
1. Demand the Full Policy Wording
Not the marketing summary. Not the "key facts sheet." The full 40-page schedule with all endorsements and exclusions. Read Section 1 (what's insured) and Section 2 (what's excluded). Then read them again.
2. Map Your Controls to Policy Conditions
The conditions insurers typically write into the wording look like this:
- MFA on all remote access and privileged accounts
- Regular offline backups with restoration testing
- EDR on all endpoints
- Annual penetration testing
- Patch management within 30 days of release
Do an honest gap analysis. If you can't meet a condition, either fix it or accept that you're self-insuring that risk.
3. Get a Broker Who Understands Cyber
Look for one who:
- Can explain the difference between "first-party" and "third-party" coverage
- Knows which insurers have a track record of paying claims in Australia
- Has seen claims denied and knows why
- Will advocate for you during a dispute, not just sell you the policy
4. Document Your Security Posture Quarterly
Keep a running record of:
- Quarterly vulnerability scan results
- Patch compliance reports
- MFA enrollment audits
- Backup restoration test logs
- Incident response drill records
With that record in hand, you're in a much stronger position if a claim is disputed. It also helps your broker negotiate better premiums at renewal.
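As an added illustration (not part of the original post or Cloudscape's own tooling), here is a small Python script that turns two of the evidence items above (EDR coverage and MFA enrolment) into a gap report against the kind of policy conditions listed in step 2, using the offline-EDR blind spot from Trap 4 as the failure case. Hostnames, accounts, timestamps, the reporting date and the three-day tolerance are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample evidence: hypothetical hosts, accounts and timestamps.
EDR_CHECKINS = {             # hostname -> last successful EDR agent check-in
    "fs01":  "2025-03-01T08:00:00",
    "db01":  "2025-02-07T09:30:00",   # agent silent for weeks (e.g. cert failure)
    "web01": "2025-03-02T06:15:00",
}
PRIV_ACCOUNTS = {            # privileged account -> MFA enrolled?
    "admin.jsmith": True,
    "svc-backup":   False,
    "da-itops":     False,
}
MAX_EDR_GAP = timedelta(days=3)          # assumed tolerance; align with your wording
AS_OF = datetime(2025, 3, 2, 12, 0)      # assumed reporting date for the quarter

def edr_gaps(checkins, now, max_gap=MAX_EDR_GAP):
    """Hosts whose agent has been silent longer than max_gap, with days silent."""
    gaps = []
    for host, last_seen in checkins.items():
        silent = now - datetime.fromisoformat(last_seen)
        if silent > max_gap:
            gaps.append((host, silent.days))
    return sorted(gaps, key=lambda g: -g[1])   # longest blind spot first

def mfa_gaps(accounts):
    """Privileged accounts with no MFA enrolled."""
    return sorted(user for user, enrolled in accounts.items() if not enrolled)

def posture_report(now=AS_OF):
    """Map the evidence to policy conditions; an empty list means the condition is met."""
    return {
        "EDR on all endpoints (continuous monitoring)":
            [f"{h} silent {d} days" for h, d in edr_gaps(EDR_CHECKINS, now)],
        "MFA on all privileged accounts":
            [f"{u} not enrolled" for u in mfa_gaps(PRIV_ACCOUNTS)],
    }

def format_report(report):
    """Render as the one-page evidence sheet you would file each quarter."""
    lines = []
    for condition, gaps in report.items():
        lines.append(f"[{'GAP' if gaps else 'MET'}] {condition}")
        lines.extend(f"    - {g}" for g in gaps)
    return "\n".join(lines)

if __name__ == "__main__":
    print(format_report(posture_report()))
```

Run quarterly against exports from your EDR console and identity provider, and file the output with the other records above; the date-stamped GAP lines are exactly what an insurer's forensic team will otherwise discover for you.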
5. Understand Your Real Exposure
Most SMEs buy cyber insurance based on a number that feels right—"a million dollars should be enough." It rarely is. Here's a rough guide for Australian businesses:
| Cost Category | Typical Range |
|---|---|
| Incident response & forensics | $15K–$80K |
| Legal fees (regulatory, notification, defence) | $30K–$200K |
| Business interruption (per day) | $5K–$50K |
| Data recovery & system rebuild | $20K–$150K |
| Regulatory fines (OAIC, industry bodies) | $10K–$2M |
| Notification & credit monitoring (per affected record) | $5–$15 |
| Reputational harm / client loss | Unquantifiable |
If you have 5,000 client records, a breach with notification requirements could cost $75K just for credit monitoring. Add forensics, legal, and a week of downtime, and you're well past $200K.
When Insurance Isn't the Answer
Here's the uncomfortable truth we save for the end.
Cyber insurance doesn't prevent breaches. It doesn't patch your systems, train your staff, or stop the phishing email from landing. It just determines who pays for the mess—and only after months of negotiation, forensic reports, and legal review.
The businesses that come through an incident in reasonable shape are the ones that already have:
- Immutable backups they can actually restore from
- MFA everywhere that matters
- Tested incident response plans that their team has rehearsed
- Clear documentation of their security posture
Insurance is a safety net, not a strategy. Build your resilience first. Then buy the policy to cover what you can't absorb.
And read the fine print. Twice.
---
Cloudscape IT Consulting helps Australian businesses build cyber resilience that works in the real world—not just on paper. If you're unsure whether your insurance matches your actual risk, get in touch. We'll give you an honest assessment, no sugar-coating.


